About | Buy | Forum | Industry Watch | Learning Curve | Products | Search | Twitter | Xnews
Home » Industry Watch » Coldspots

Statement on the MacGuard Exploit

'I didn't have to enter my password to update. Is this typical for everyone?'


Buy It

Try It

CNET yesterday rang the alarm bells again about a new Mac exploit. We've all heard that one too many times before. And all too often seen - even if we weren't believers - that claims of that sort are pure nonsense. As if cottage industries in the MS Windows market are desperate to break ground in the Unix community and are desperate to keep MS Windows users stuck on that hopeless platform.

A safe and secure Internet is the prerequisite for the proper exploration of the possibilities of the World Wide Web. And any Unix system is heaps better than what Microsoft can ever offer.

But things start to go downhill for Mac users when Apple's 'user experience engineers' come calling with new feature requests. As pointed out here and here, the Safari 4.0.5 update represented a watershed in Mac OS X security - again.

Something Stupid

This isn't the first time something stupid's happened to the platform thanks to interference by Apple's roaming elite. The 'Opener hole' was described by its author as not so much a hole as a crater.

A conscientious network administrator on the west coast of the US, the author tried repeatedly to get Apple to listen but was peremptorily rebuffed by that moronic mantra 'works as designed'.

And indeed it did work as designed: users running unprivileged accounts were able to insert a text file into an unprotected file system area to give themselves a root shell on reboot.

Opener was the easiest rootkit ever seen on any personal platform - including Windows. And it went unfixed for years because the user experience engineers wanted that feature - because it 'worked as designed'.

Something Stupid Again

There's reason to believe the idea at Apple that leads to the MacGuard exploit was needed for software updates for the company's handheld devices. But that's no reason to ever jeopardise the security fundament of the system itself.

Quoting from Topher's CNET article yesterday:

'This program will still require user interaction in order to install, so you will see an installer program running and will have to click through a couple of installation windows in order to get it on your system; however, the difference now is that it can be installed without an administrator password. While this does not change much for people who would install the software anyway, it is an example of why it is important to reserve administrator accounts for administrator purposes only.'

Topher's conclusion that administrator accounts (your default account) should be used sparingly and cautiously is only a 'thumbs down' for the 'rock solid foundation', which is ridiculous. There's nothing wrong with that foundation - only with the user experience engineers who don't understand it, don't have the chops to appreciate it, can't spell 'security' in broad daylight, and keep coming to engineering with their stupid ideas.

Time to Tell Them 'No More'

The benefits accruing to a Mac user are infinitesimal and assume a certain demographic anyway. This demographic certainly applies to Apple's user experience engineers who are amongst the most computer illiterate people in the IT industry. Not having to submit your password when installing critical software is 'user-friendly' in their eyes. But in their eyes only.

'User-friendly' to anyone above their amoebic level is having control of the machine and always being prompted for one's approval when critical things can be about to happen - always being asked permission to do dangerous things.

But Apple engineers - the real kind and not the others - seem to have found a way around the tried and true security of the Unix 'rock solid foundation'. Studying the results of the research at the above links gives a clue how it's done.

  1. Typically Apple's Software Update module will run, check for downloads, etc.
  2. The above program, possibly through a distributed notification, is able to signal an already running root process that a software install is to take place.
  3. The root process gets 'launchd' to spawn a root-owned software update helper module.

That's absolutely nuts. As intimated over one year ago when the articles were published, that's a system that's going to be exploited sooner or later. CNET's article from yesterday intimates it's now happened.

Apple need in such case to address this issue forthwith. They also need to understand that the great majority of their users are more intelligent than their overpaid user experience engineers and find the encumbrance in having to type in their password a petty price to pay in exchange for the security of the 'rock solid foundation' as advertised.

Special Links
Rixstep Coldspots: .SoftwareUpdateAtLogout
Digg: How a Malformed Installer Package Can Crack Mac OS X
Mac Geekery: How a Malformed Installer Package Can Crack Mac OS X
CNET Reviews: Securing your Mac from the new MacGuard malware variant

'I didn't have to enter my password to update. Is this typical for everyone?'
 - 'zapblast' at the MacRumors forums
'The media buzz over Opener went on the better part of a month and was then forgotten, but the fact remains that it is the single biggest security hole ever in the history of modern operating systems. No other operating system has ever offered such effortless escalation to superuser.'
 - Rixstep Industry Watch on Opener 3.9

See Also
Industry Watch: Opener 3.9
Learning Curve: Rooting 10.5.4
Developers Workshop: 061-7784
Industry Watch: Get Root on 10.5.4
Industry Watch: ARDAgent Here to Stay?
Coldspots: The Strange Case of Safari 4.0.5
Learning Curve: Of Sticky Bits & Preferences
Learning Curve: ARDAgent on Snow Leopard
Hotspots: SLIPOC — Root Exploit of Mac OS X
The Technological: Walking into an Apple Store
Red Hat Diaries: Number One at Almost Everything
Learning Curve: Symantec's OS X Threat Landscape
Learning Curve: Rootkits Roam the World of Windows
Industry Watch: For Apple, This is the Year That Wasn't

About | Buy | Forum | Industry Watch | Learning Curve | Products | Search | Twitter | Xnews
Copyright © Rixstep. All rights reserved.